Senior Third-Party Risk Analyst

Applications Close:

Western Governors University

4001 S 700 E #300, Millcreek, UT 84107, USA

Job Description

The Senior Third-Party Risk Analyst is a senior member of WGU's Risk Management Team and a subject matter expert in third-party and supplier risk management (TPRM). This individual brings deep, hands-on experience assessing the security posture of vendors, suppliers, and applications across the full third-party lifecycle, including intake, due diligence, contracting, ongoing monitoring, and offboarding. The Senior Analyst owns and matures the TPRM methodology, applies strong analytical thinking to translate complex findings into clear risk decisions, mentors junior analysts, and serves as a trusted advisor to procurement, legal, privacy, and business stakeholders. While the focus is third-party risk, this role also contributes to internal and enterprise risk efforts as needed.

What You'll Do

  • Serve as the subject matter expert for third-party and supplier risk management, owning and continuously maturing WGU's TPRM methodology.
  • Lead end-to-end third-party risk assessments across the full lifecycle, including intake, due diligence, contracting, ongoing monitoring, and offboarding.
  • Analyze complex technical and non-technical evidence to determine likelihood, impact, root cause, and defensible risk ratings.
  • Review assurance artifacts such as SOC 2 Type II reports, penetration test results, and security questionnaires to identify gaps, exceptions, and compensating controls.
  • Assess fourth-party and downstream risk, including concentration risk within critical supply chains.
  • Partner with procurement, legal, and privacy teams to review contracts, data protection addendums, and security clauses and recommend risk-reducing language.
  • Mentor junior analysts, provide quality review of assessments, and act as an escalation point for high-risk or complex engagements.
  • Lead exception-to-policy analysis, document residual risk, and guide risk acceptance, transfer, or mitigation decisions with appropriate stakeholder sign-off.
  • Work with engineers, architects, and security professionals to understand the risk of a system, project, third-party, supplier, or application and recommend controls to mitigate identified risks.
  • Provide guidance and assistance to operational teams and third parties to remediate security deficiencies and track remediation through to closure.
  • Identify, develop, and recommend AI-driven efficiencies in the TPRM program and broader risk management practice.
  • Maintain working knowledge of NIST, ISO, and PCI-DSS standards as well as FERPA, GLBA, and FTC regulations, and ensure assessments account for applicable obligations.
  • Act as an advocate for Information Security, helping the business understand third-party risk, security standards, and best practices.

What You'll Bring

  • Bachelor's degree in a related field with 5+ years (7-10 years preferred) of information security experience, including hands-on ownership of third-party or supplier risk assessments.
  • Proven experience running or significantly contributing to a third-party or vendor risk management program end to end.
  • Familiarity with NIST, ISO, and PCI-DSS standards.
  • Strong analytical and critical-thinking skills with the ability to reason through ambiguity and make sound, defensible risk decisions.
  • Experience with cybersecurity and privacy principles and the controls used to manage risk across data use, processing, storage, and transmission.
  • Demonstrated experience recommending security safeguards, including contract and SLA language.
  • Working knowledge of risk management best practices and frameworks.
  • Excellent written and verbal communication skills with the ability to influence stakeholders and clearly articulate risk to leadership.
  • Equivalent relevant experience performing the essential functions of this job may substitute for educational degree requirements. Generally, equivalent relevant experience is defined as 1 year of experience for 1 year of education and is at the discretion of the hiring manager.